Physical Cryptanalysis

A complete break of the KeeLoq access control system.

Home FAQ More Info Contact
    Frequently asked questions about breaking KeeLoq access controls. This page is subject to frequent changes.
FAQ

    Attacks


    Q: How likely is it that your attack will be used against garage door opening systems?
    A: Even though many garage doors rely on KeeLoq, we do not believe that this is particularly likely. There are many systems in use which are even weaker than KeeLoq. Those systems typically rely on a fixed-code. Overcoming such a simply "security" scheme is obviously much easier than our KeeLoq attack. However, systems using KeeLoq are vulnerable through our attack.

    Q: How likely is it that someone will break into my car through overcoming KeeLoq?
    A: This is difficult to say, as most car manufacturers do not release any details about their security system. It seems likely that the majority (or possibly all) German automotive manufacturers to not employ KeeLoq. Also, one should not confuse car-door opening with immobilizers. It seems quite likely that even cars which employ KeeLoq for car-door opening use a different scheme for the immobilizer system.

    Q: How difficult is the attack ?
    A: There are two phases to the attack. For the first phase, we estimate that an engineer without previous knowledge about DPA (Differential Power Analysis) and cryptography will need 4-6 months to develop the expertise. For the second phase, during which actual systems are attacked, only moderate knowledge and equipment is needed.

    Q: Does cloning of my remote control require physical access to it ?
    A: No, eavesdropping of two messages sent from the remote control to the garage is sufficient, in case the manufacturer key is known.

    Q: Do you need my own receiver to produce a new valid transmitter for my garage ?
    A: No, any receiver from the same brand and model is sufficient to obtain the manufacturer key needed for producing a new valid transmitter for your garage.

    Q: What is the range for eavesdropping my remote control, in order to clone it ?
    A: Depending on the details of your remote keyless entry system (e.g., frequency ...) the range for cloning a remote control is between 50 meters and several hundred meters.

    Q: What is the difference between IFF (Identify Friend or Foe) systems and Hopping Code applications?
    A: In IFF systems, a challenge-response protocol is carried out between receiver and remote control, with plain- and ciphertexts being transmitted via the air channel. The plaintexts for Hopping Code applications is kept secret in the remote control, i.e., every time the button of the remote control is pressed, a new ciphertext is generated from the secret plaintext.

    Q: What is the difference between a manufacturer key and a device key ?
    A: A device key is unique for each remote control and stored in its secret memory, so that the remote control can be identified by a receiver. The manufacturer key is stored in a secret memory in the receiver - possessing it allows for creating new device keys and cloning remote controls of that particular manufacturer.

    Q: Why can't the previously published attacks be applied to KeeLoq Hopping Code schemes ?
    A: The previously published attack is extremely impressive from a mathematical and cryptographic point of view. The best attack published so far require 65536 pairs of plain and ciphertexts for computing a KeeLoq device key . However, there are two shortcomings for practical systems. First, the attack is only applicable if KeeLoq is used as IFF system. However, in most applications, KeeLoq is used as a Hopping Code scheme. Secondly, even if KeeLoq is used in IFF mode, the manufacturer key can only be computed from the device key if a weak derivation scheme is used which employes only XOR operation. Many real world systems use stronger key derivation scheme based on the KeeLoq algorithm itself.

    Miscellaneous


    Q: I want a really secure access control system, who can help me?
    A: We do: www.crypto.rub.de
    Q: Isn't it irresponsible to do research on security weaknesses?
    A: No! Trying to analyse security system and to publish those results has been the central rule of the scientific community in the field of cryptography for more than 30 years. It is the daily work of 1000s of scientist worldwide - most of them at universities but quite a few also in industry - to find weaknesses in security systems and to publish those findings. Why are they doing this? Time has shown over and over again that the only way to build truly secure systems is to have them analized by outsiders. "Analyzed" means, of course, trying to break them. Otherwise consumers and companies who use security systems will never know whether they are secure or not.
    Essentially every single security systems whose security relied on obscurity (i.e., the details were kept secret) was broken once the details of the system - for instance, the cipher algorithm - had become publically known. It is extremely instructive that the NSA (National Security Agency of the USA, by far the largest code breaking and code making organisation in the world) recommends the public cipher AES (Advanced Encryption Standard) for encrypting information for the US Government up to the level of Top Secret. One wonders: if even NSA relies on public algorithms, why are people using untested algorithms in commercial products?